Explicitly reject CGI output which includes a Transfer-Encoding

header, rather than drop it and send what's likely to be an unexpected
or corrupted response.

* modules/generators/cgi_common.h (cgi_handle_response): Send a 502
  error if Transfer-Encoding is present in the response headers.

PR: 68970
Github: closes #444


git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1917835 13f79535-47bb-0310-9956-ffa450edef68

2 files changed, 10 insertions, 1 deletions

diff --git a/changes-entries/pr68970.txt b/changes-entries/pr68970.txt
new file mode 100644
index 0000000000..e598230a53
--- /dev/null
+++ b/changes-entries/pr68970.txt
@@ -0,0 +1,4 @@
+  *) mod_cgi/mod_cgid: Reject CGI output with a Transfer-Encoding
+     header to avoid unexpected or corrupted responses.  PR 68970.
+     [Joe Orton]
+
diff --git a/modules/generators/cgi_common.h b/modules/generators/cgi_common.h
index 7c985a7e1c..c8571321d1 100644
--- a/modules/generators/cgi_common.h
+++ b/modules/generators/cgi_common.h
@@ -438,7 +438,12 @@ static int cgi_handle_response(request_rec *r, int nph, apr_bucket_brigade *bb,
          */
         if (!apr_table_get(r->subprocess_env, AP_TRUST_CGILIKE_CL_ENVVAR))
             apr_table_unset(r->headers_out, "Content-Length");
-        apr_table_unset(r->headers_out, "Transfer-Encoding");
+
+        if (apr_table_get(r->headers_out, "Transfer-Encoding") != NULL) {
+            apr_brigade_cleanup(bb);
+            return log_scripterror(r, conf, HTTP_BAD_GATEWAY, 0, APLOGNO(10501),
+                                   "script sent Transfer-Encoding");
+        }
 
         if (ret != OK) {
             /* In the case of a timeout reading script output, clear